Re: simple chroot environment rc.d script

On Thu, Aug 23, 2012 at 03:46:06PM +0200, iMil wrote:
>
> >you're going to use null mounts. The most obvious issue is that a
> >full copy of /dev is provided to the application, when what you really
>
> Well actually, it only creates the standard devices (MAKEDEV std), not
> a full copy:
>
> constty klog ksyms null stdin tty
> console drum kmem mem stderr stdout zero
>
> But I probably don't need all of these, null, zero and random should be
> enough.

Actually, you probably need at least stdin, stdout, stderr, tty, and
possibly fdesc mounted on /dev/fd. But providing a way for a chrooted
process to get a descriptor for drum, kmem, or mem is just not right.

Then, generally speaking, anything mounted writable should have nodev
and, unless there's some reason why not, noexec too. That way you have
some chance of controlling what runs.

Thor
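
Added example, not part of the original message or of the rc.d script under discussion: a small audit of the two points in the reply above, the device nodes present in the chroot's /dev and the options on writable mounts. The function names, the /chroot/www path and the sample mount lines are constructed for illustration, and the parser assumes NetBSD-style `mount` output of the form "src on dir type fs (opt, opt)".

```shell
#!/bin/sh
# Device nodes the reply says a chrooted process must not be able to open.
FORBIDDEN_DEVS="drum kmem mem"

# audit_dev DIR: print each forbidden name found in DIR, one per line.
# Uses -e, not -c, so any entry with that name is reported (conservative).
audit_dev() {
    for name in $FORBIDDEN_DEVS; do
        if [ -e "$1/$name" ]; then echo "$name"; fi
    done
}

# audit_mounts ROOT: read `mount` output on stdin. For every mount point at
# or below ROOT that is not read-only, print "<dir> missing: <options>".
audit_mounts() {
    awk -v root="$1" '
    {
        dir = $3
        if (dir != root && index(dir, root "/") != 1) next
        opts = ""
        if (match($0, /\(.*\)/)) opts = substr($0, RSTART + 1, RLENGTH - 2)
        opts = ", " opts ","            # pad so every option is " name,"
        if (index(opts, " read-only,")) next
        missing = ""
        if (!index(opts, " nodev,"))  missing = missing " nodev"
        if (!index(opts, " noexec,")) missing = missing " noexec"
        if (missing != "") print dir " missing:" missing
    }'
}

# Constructed sample input (assumed paths, not taken from the thread).
sample_mounts() {
    cat <<'EOF'
/dev/wd0a on / type ffs (local)
/usr/pkg on /chroot/www/usr/pkg type null (read-only, local)
/var/chroot-data on /chroot/www/var type null (local)
tmpfs on /chroot/www/tmp type tmpfs (nodev, noexec, local)
EOF
}

# Demo run on the sample; on a live system use: mount | audit_mounts /chroot/www
sample_mounts | audit_mounts /chroot/www
```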